About events, incidents, and entities

An event is generated when Symantec Advanced Threat Protection (ATP) detects that an activity occurred. For instance, events are generated when a malicious file is downloaded, or a benign executable file is created. Not all events are malicious, such as a reputation request of a healthy file.

An incident is a collection of one or more events that represent a significant risk to the organization. Incidents include the events that Symantec Endpoint Protection has blocked, because even blocked events contribute to a more complete picture of the larger attack. What's more, not all malicious events are escalated to incidents.

For example, assume a user visits a spoofed website with a bad reputation. If there is no indication that the user's endpoint became infected or downloaded anything malicious, the event is not likely raised to an incident. ATP does not deem it important enough to bring to an incident responder's attention. However, the event is still recorded.